Wednesday, March 18, 2009

We've seen several cases in the past where Law Enforcement action is triggered by one criminal actively and publicly spreading information (or mis-information) about another criminal's activities.

That seems to be the case in what is happening now, as a spammer is using an existing spam botnet to send messages about the Russian credit card trading site "carder.su".

Beginning on the afternoon of March 16th, the UAB Spam Data Mine began to receive copies of this email message:

So far we have 142 copies of this email, which came from 138 different email addresses, and were sent to 122 of our unique trap accounts. The emails had 13 different subject lines, but were otherwise the same:

There were also 132 unique IP addresses in the email headers, corresponding to the 132 bot machines which were used to send us this spam. It would be interesting to know what other spam is coming from these same bot machines. Fortunately, when you have a Spam Data Mine sitting around, that's a pretty simple query to make.

(Full list of IPs at the end of this article . . . if you recognize the botnet please let me know.)

Unfortunately, some IP addresses are less helpful than others . . . is it valid to say that these emails came from the same botnet, for example, when we haven't seen other email from them since October?

The next one is far more useful, because although it shows a long history of spam from the computer at 203.197.115.82 (in India), it also has spam from two weeks ago, which we know by the subject is a sign of a Waledac-infected computer.
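The query described above, correlating the bot IPs from one campaign against everything else in a spam archive and flagging IPs whose last other spam is too old to support a "same botnet" claim, as an added example that is not code from the original post or from the UAB Spam Data Mine. The table layout, the sample rows, the IP addresses (RFC 5737 documentation ranges) and the placeholder subject lines are all constructed here; the real schema and real subjects are not known to this example, and the 60-day staleness window is an assumed threshold, not one the post states.

```python
"""Correlate one spam campaign's sender IPs against an archive of spam.

Added example, not code from the original post. Table layout, rows, IPs
and subject strings below are constructed; the staleness window is assumed.
"""
import sqlite3
from collections import Counter
from datetime import date, timedelta

CAMPAIGN_MARKER = "carder.su"        # substring that identifies the campaign in the subject
CAMPAIGN_START = date(2009, 3, 16)   # first day the campaign reached the traps (from the post)

# Constructed sample rows: (sender_ip, received ISO date, subject).
# IPs come from RFC 5737 documentation ranges; subjects are placeholders.
SAMPLE_ROWS = [
    ("203.0.113.10", "2009-03-16", "carder.su subject A"),
    ("203.0.113.10", "2009-03-17", "carder.su subject B"),
    ("203.0.113.10", "2009-03-02", "other campaign X"),   # recent other spam
    ("203.0.113.10", "2008-12-01", "other campaign Y"),
    ("198.51.100.7", "2009-03-16", "carder.su subject A"),
    ("198.51.100.7", "2008-10-20", "other campaign Z"),   # nothing else since October
    ("192.0.2.55", "2009-03-17", "carder.su subject C"),  # no other spam on record
    ("192.0.2.99", "2009-03-17", "unrelated campaign W"), # not part of the campaign
]


def build_db(rows):
    """Load the constructed rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE spam (sender_ip TEXT, received TEXT, subject TEXT)")
    conn.executemany("INSERT INTO spam VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def campaign_ips(conn, marker=CAMPAIGN_MARKER, start=CAMPAIGN_START):
    """Distinct sender IPs that sent a campaign message on or after the start date."""
    sql = "SELECT DISTINCT sender_ip FROM spam WHERE subject LIKE ? AND received >= ?"
    return sorted(r[0] for r in conn.execute(sql, (f"%{marker}%", start.isoformat())))


def other_spam_profile(conn, marker=CAMPAIGN_MARKER, start=CAMPAIGN_START, stale_days=60):
    """For every campaign IP, collect the non-campaign spam it sent.

    Returns {ip: {"other_subjects": [...], "last_other_seen": date-or-None,
                  "stale": True/False/None}}. 'stale' is None when the IP has
    no other spam at all; True when its last other spam is older than the
    assumed window, i.e. too old to say it belongs to the same botnet.
    """
    like = f"%{marker}%"
    sql = """SELECT sender_ip, received, subject FROM spam
             WHERE subject NOT LIKE ?
               AND sender_ip IN (SELECT sender_ip FROM spam
                                 WHERE subject LIKE ? AND received >= ?)
             ORDER BY sender_ip, received"""
    cutoff = start - timedelta(days=stale_days)
    profile = {ip: {"other_subjects": [], "last_other_seen": None, "stale": None}
               for ip in campaign_ips(conn, marker, start)}
    for ip, received, subject in conn.execute(sql, (like, like, start.isoformat())):
        entry = profile[ip]
        if subject not in entry["other_subjects"]:
            entry["other_subjects"].append(subject)
        entry["last_other_seen"] = received   # rows are date-ordered, so the last one wins
    for entry in profile.values():
        if entry["last_other_seen"] is not None:
            entry["stale"] = date.fromisoformat(entry["last_other_seen"]) < cutoff
    return profile


def other_subject_counts(profile):
    """How many campaign IPs also sent each other subject (botnet overlap signal)."""
    counts = Counter()
    for entry in profile.values():
        counts.update(entry["other_subjects"])
    return counts


if __name__ == "__main__":
    db = build_db(SAMPLE_ROWS)
    for ip, entry in other_spam_profile(db).items():
        print(ip, entry)
    print(other_subject_counts(other_spam_profile(db)).most_common())
```

The staleness flag is the check the post asks for: an IP whose only other spam is months old should not be counted as evidence of the same botnet, while one with recent, recognisable other subjects (the 203.0.113.10 row set here) is the useful kind. `other_subject_counts` ranks the non-campaign subjects by how many campaign IPs also sent them, which is the quickest way to see which other campaign the botnet overlaps with.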

I have to say, the 2x4.ru folks have suspended some of the porn sites that drop malware, so maybe they only cater to certain types of criminals. "gigatube.net" and "eroticzzz.info" were suspended for dropping malware, as was "swiss-warez.biz".